Tuesday, 14 February 2012

NAT (Network Address Translation)



NAT acts as a middle man between the internal and external network: packets leaving the private network are rewritten by the NAT router and then forwarded to their intended destination.

A single external address is used on the Internet so that the internal IP addresses are never exposed. The router keeps a table that pairs local (private) addresses with the global (public) address and consults it when translating each packet in either direction.




NAT can work in several ways:

Static NAT

An unregistered IP address is mapped to a registered IP address on a one-to-one basis - which is useful when a device needs to be accessed from outside the network.

Dynamic NAT

An unregistered IP address is mapped to a registered IP address from a group of registered IP addresses. For example, a computer 192.168.10.121 will translate to the first available IP in a range from 212.156.98.100 to 212.156.98.150.

Overloading

A form of dynamic NAT, also known as PAT or NAPT, it maps multiple unregistered IP addresses to a single registered IP address and tells the connections apart by using different source ports. For example, IP address 192.168.10.121 will be mapped to 212.56.128.122:port_number (such as 212.56.128.122:1080), and a second internal host gets the same public address with a different port.

Overlapping

This is when addresses in the inside network overlap with addresses in the outside network, because the same IP addresses are registered to another network too. The router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered, unique IP addresses.
How NAT works

NAT maintains a table with an entry for each connection that passes through it.

When a computer on the network attempts to connect to a website on the Internet:
  • on the way out, the source IP address in the packet header is replaced with the public IP address of the NAT router, and the original private address (and, with overloading, the source port) is recorded in the table
  • on the way back in, the destination IP address, which is now the router's public address, is changed back, based on the matching table entry, to the private IP address of the computer on the local network that started the connection

Network Address Translation can double as a basic firewall: the router only forwards an inbound packet if it matches an entry in the translation table or a mapping the administrator has created explicitly, so unsolicited connections from the Internet are dropped, and the administrator can additionally filter packets to or from certain IP addresses and allow or disallow access to specified ports. It is also a means of saving public IP addresses by having one address represent a group of computers. NAT is not a replacement for a real firewall, though: it does nothing about traffic that internal hosts initiate, and any port you publish through it exposes the internal host behind that port exactly as if it sat on the Internet.
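To make the translation table concrete, here is an added example in Python; it is not code from this article or from Windows RRAS. It models NAT overloading: two internal hosts using the same source port share one public address, a reply is mapped back to the host that asked for it, an unsolicited probe is dropped, and one published service (the equivalent of an entry on the Services and Ports tab described later) is forwarded to an internal server. The public address, private hosts, ports and packets are all constructed for the demonstration.

```python
"""Model of NAT overloading (PAT) with one static inbound mapping.

Added example; not code from the article or from Windows RRAS. It shows what the
translation table does on the way out and on the way back in, why unsolicited
inbound packets are dropped, and how a published service punches through.
All addresses, ports and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "212.56.128.122"   # the router's single registered address (constructed)
FIRST_PUBLIC_PORT = 1024       # first port handed out for dynamic mappings


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OverloadingNat:
    def __init__(self, public_ip: str = PUBLIC_IP) -> None:
        self.public_ip = public_ip
        self._next_port = FIRST_PUBLIC_PORT
        # (private ip, private port, remote ip, remote port) -> public port
        self._outbound: dict[tuple, int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self._inbound: dict[tuple, tuple] = {}
        # public port -> (private ip, private port), configured by the administrator
        self._static: dict[int, tuple] = {}

    def publish(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Static mapping: any Internet host may reach private_ip:private_port via public_port."""
        self._static[public_port] = (private_ip, private_port)

    def _allocate_port(self) -> int:
        while self._next_port in self._static:   # never collide with a published port
            self._next_port += 1
        port = self._next_port
        self._next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network, recording the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            port = self._allocate_port()
            self._outbound[key] = port
            self._inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the Internet.
        Returns None when the router drops it (no table entry and no static mapping)."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self._static.get(pkt.dst_port)
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def demo() -> dict:
    """Walk two internal hosts and an outside scanner through the router."""
    nat = OverloadingNat()
    nat.publish(80, "192.168.10.5", 8080)            # internal web server, published on :80

    web = "93.184.216.34"
    out_a = nat.outbound(Packet("192.168.10.121", 51000, web, 443))
    out_b = nat.outbound(Packet("192.168.10.122", 51000, web, 443))   # same source port, other host
    reply_a = nat.inbound(Packet(web, 443, nat.public_ip, out_a.src_port))
    scan = nat.inbound(Packet("198.51.100.7", 4444, nat.public_ip, 3389))   # unsolicited RDP probe
    visitor = nat.inbound(Packet("198.51.100.7", 40000, nat.public_ip, 80))  # published service

    return {"out_a": out_a, "out_b": out_b, "reply_a": reply_a,
            "scan": scan, "visitor": visitor}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:8} {pkt if pkt else 'dropped'}")
```

Both internal hosts chose source port 51000, so the router has to hand out different public ports (1024 and 1025) to tell the replies apart; that is the whole reason overloading works on ports rather than addresses. The RDP probe has no table entry and no static mapping, so it is dropped, while the published port 80 is forwarded regardless of who sends it.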
Setting up NAT

To set up NAT, start by opening the Configure Your Server Wizard in Administrative Tools and selecting the Remote Access/VPN Server role. Press Next and the Routing and Remote Access Server Setup Wizard will open. The screen below shows the Internet Connection screen, in which you specify which type of connection to the Internet you have and whether or not you want the Basic Firewall feature enabled on the public interface. It is worth enabling: NAT alone only protects the hosts behind the router, while the basic firewall also drops unsolicited traffic aimed at the router itself.




Press Next to continue. The installation process will commence and services will be restarted, after which the Finish screen will be displayed, showing what actions have taken place.
Configuring NAT


Configuration of NAT takes place from the Routing and Remote Access MMC snap-in, found in the Administrative Tools folder in the Control Panel or on the Start menu.

The screenshot below shows the Routing and Remote Access console.




Select the interface you wish to configure and double-click it. This will bring up the properties window, giving you the option to change settings such as packet filtering and port blocking, as well as enabling or disabling features such as the basic firewall.

The remote router (set up previously) properties box is shown below. The NAT/Basic Firewall tab is selected.




You are able to select the interface type, which specifies what the network connection will be. In my example I have selected a public interface connected to the Internet, and enabled both NAT and the basic firewall. The Inbound Filters and Outbound Filters buttons open a window in which you can restrict traffic by IP address or by protocol and port attributes; packets matching a drop filter are discarded at the router before they ever reach a client computer, which makes the network safer and gives you more control. This is useful if, for example, you want to reject all packets coming from a blacklisted IP address (an inbound filter) or stop internal users from reaching port 21 (FTP) on the Internet (an outbound filter).

For inbound publishing, go to the Services and Ports tab. Here you select which services running on computers inside the private network should be reachable by Internet users; each enabled service becomes a static mapping from a port on the public interface to a port on an internal host. You can also add more services by specifying the incoming and outgoing port numbers and the private address of the host that provides the service.




The services in the list shown in the above screenshot are preset. Press Add to bring up the window that allows the creation of a new service, or select an existing service and press Edit to modify it. You will be asked to specify the name, whether the service uses TCP or UDP, the incoming and outgoing port numbers, and the private IP address of the computer hosting that service.

Leaving a service disabled simply means that no inbound connections to that port are forwarded into the network; it does not stop internal clients from reaching the same kind of service on the Internet, because outbound connections create their own dynamic entries in the translation table. For example, with the configuration shown above, an Internet user could not reach an FTP server inside the network, but an internal client could still connect to an external FTP site unless an outbound filter blocks port 21. Every service you enable here is a deliberate hole in the basic firewall, so publish only what is needed and treat the host behind it as Internet-facing. This tab is useful for networks of any size, but especially small ones that host a handful of services behind a single public address.

That concludes this article. As you have seen, Network Address Translation is a useful feature that adds flexibility and a measure of security to the network of a small to medium sized company. With the adoption of IPv6 still in its early stages, we can expect to see NAT in use for many years to come.

Friday, 27 January 2012

How to Configure Disk Quotas from a Command Prompt



To view and manage disk quotas from scripts or from the command line, use the Fsutil administrative command-line utility. Fsutil must be run from a command prompt with administrative rights. Useful Fsutil commands include:

  • fsutil quota query C: displays quota information about the C volume, as the following example shows:

    C:\>fsutil quota query C:
    FileSystemControlFlags = 0x00000301

    Quotas are tracked on this volume
    Logging for quota events is not enabled
    The quota values are incomplete

    Default Quota Threshold = 0xffffffffffffffff
    Default Quota Limit = 0xffffffffffffffff

    SID Name = BUILTIN\Administrators (Alias)
    Change time = Tuesday, April 11, 2006 7:54:59 AM
    Quota Used = 0
    Quota Threshold = 18446744073709551615
    Quota Limit = 18446744073709551615

    The value 0xffffffffffffffff (18446744073709551615 in decimal) means that no threshold or limit has been set for that entry.

  • fsutil quota track C: enables disk quota tracking on the C volume; usage is recorded per user but nothing is enforced.
  • fsutil quota disable C: disables disk quotas on the C volume.
  • fsutil quota enforce C: enables disk quota enforcement on the C volume, so that a user who exceeds the limit is refused further disk space on that volume.
  • fsutil quota modify C: 3000000000 5000000000 Contoso\User creates a disk quota entry for the user Contoso\User. The first number (3,000,000,000 bytes, about 3 GB) sets the warning threshold and the second number (5,000,000,000 bytes, about 5 GB) sets the absolute limit.

For complete usage information, run fsutil quota (or fsutil /? for the full list of subcommands) from a command prompt.
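The query output above is meant for a human; a script that watches quotas has to parse it. The following is an added example, not code from this article or from Microsoft: it turns the text of fsutil quota query into records, decodes the FileSystemControlFlags bits (the FILE_VC_* constants from ntifs.h) to tell tracking from enforcement, and flags every user at or over their threshold or limit. The sample text is the output shown above plus one constructed entry for CONTOSO\User, added so that the over-threshold case is exercised.

```python
"""Parse `fsutil quota query` output and flag users over their threshold or limit.

Added example; not code from the article or from Microsoft. SAMPLE_OUTPUT is the
query output shown in the article plus one constructed entry (CONTOSO\\User) so
that the over-threshold path is exercised. With the real tool, run from an
elevated prompt:  fsutil quota query C: | python quota_report.py
"""
import re
import sys

NO_VALUE = 2**64 - 1   # fsutil prints 0xffffffffffffffff / 18446744073709551615 when unset

# FileSystemControlFlags bits, from FILE_FS_CONTROL_INFORMATION in ntifs.h
FILE_VC_QUOTA_TRACK = 0x00000001
FILE_VC_QUOTA_ENFORCE = 0x00000002
FILE_VC_QUOTAS_INCOMPLETE = 0x00000100

SAMPLE_OUTPUT = """\
FileSystemControlFlags = 0x00000301

Quotas are tracked on this volume
Logging for quota events is not enabled
The quota values are incomplete

Default Quota Threshold = 0xffffffffffffffff
Default Quota Limit = 0xffffffffffffffff

SID Name = BUILTIN\\Administrators (Alias)
Change time = Tuesday, April 11, 2006 7:54:59 AM
Quota Used = 0
Quota Threshold = 18446744073709551615
Quota Limit = 18446744073709551615

SID Name = CONTOSO\\User (User)
Change time = Wednesday, April 12, 2006 9:00:00 AM
Quota Used = 3500000000
Quota Threshold = 3000000000
Quota Limit = 5000000000
"""

FIELD = re.compile(r"^(?P<key>[A-Za-z ]+?) = (?P<value>.+)$")


def parse_quota_query(text: str) -> dict:
    """Return {'flags': int, 'entries': [{'name', 'used', 'threshold', 'limit'}, ...]}."""
    flags = 0
    entries: list = []
    current = None
    for raw in text.splitlines():
        m = FIELD.match(raw.strip())
        if not m:
            continue                      # banner lines such as "Quotas are tracked on this volume"
        key, value = m.group("key"), m.group("value")
        if key == "FileSystemControlFlags":
            flags = int(value, 16)
        elif key == "SID Name":
            current = {"name": value.rsplit(" (", 1)[0]}   # drop the "(Alias)" / "(User)" suffix
            entries.append(current)
        elif current is not None and key in ("Quota Used", "Quota Threshold", "Quota Limit"):
            current[key.split()[1].lower()] = int(value, 0)   # base 0 accepts decimal or 0x...
    return {"flags": flags, "entries": entries}


def enforcement_state(flags: int) -> str:
    if flags & FILE_VC_QUOTA_ENFORCE:
        return "enforced"
    if flags & FILE_VC_QUOTA_TRACK:
        return "tracked only"             # over-limit writes are still allowed
    return "disabled"


def entry_status(entry: dict) -> str:
    used, threshold, limit = entry["used"], entry["threshold"], entry["limit"]
    if limit != NO_VALUE and used >= limit:
        return "over limit"
    if threshold != NO_VALUE and used >= threshold:
        return "over threshold"
    return "ok"


def report(text: str) -> list:
    """(user, status) for every quota entry in the output."""
    return [(e["name"], entry_status(e)) for e in parse_quota_query(text)["entries"]]


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_quota_query(text)
    note = " (values incomplete, volume is being rescanned)" if parsed["flags"] & FILE_VC_QUOTAS_INCOMPLETE else ""
    print("quotas:", enforcement_state(parsed["flags"]) + note)
    for name, status in report(text):
        print(f"{status:15} {name}")
```

The flags value 0x301 in the sample decodes to tracking on, enforcement off and the quota values incomplete, which is exactly what the three banner lines say in words; checking the bits rather than the English text keeps the script working if the wording changes with the system locale.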









By: Yogendra Singh Negi

How to Create Symbolic Links to Shared Folders



You can create symbolic links on the local file system to files stored on other local drives or shared folders. However, when you use the mklink command, you must specify the absolute path to the target: mklink stores a relative target exactly as typed, and Windows later resolves it relative to the directory that contains the link, not relative to the directory you were in when you created it. Creating a symbolic link also requires the Create symbolic links user right, which by default only Administrators hold. For example, suppose you want to create a symbolic link named C:\Link.txt that targets a file on a shared folder mapped as Z:\Target.txt. If you run the following commands, you will successfully create a symbolic link at C:\Link.txt.

C:\>Z:

Z:\>mklink C:\link.txt target.txt

However, that link will resolve to C:\Target.txt and not the intended Z:\Target.txt. To create a link to the Z:\Target.txt file, run the following command instead:

C:\>mklink C:\link.txt Z:\target.txt

The mklink command also allows you to create a symbolic link targeting a Universal Naming Convention (UNC) path. For example, the following command creates a symbolic link file called Link.txt that opens the Target.txt file on the share:

mklink link.txt \\server\folder\target.txt

If you enable remote symbolic links (discussed below), you can store symbolic links on shared folders and automatically redirect multiple Windows network clients to a different file on the network.

By default, you can use symbolic links only on local volumes. If you attempt to access a symbolic link located on a shared folder (regardless of the location of the target), or copy a symbolic link to a shared folder, you will receive an error. You can change this behavior by configuring the following Group Policy setting:

Computer Configuration\Administrative Templates\System\NTFS File System\Selectively Allow The Evaluation Of A Symbolic Link

When you enable this policy setting, you can select from four settings:
• Local Link To Local Target: enabled by default; allows symbolic links stored on a local volume to point at targets on the local file system.
• Local Link To Remote Target: enabled by default; allows symbolic links stored on a local volume to point at targets on shared folders.
• Remote Link To Remote Target: disabled by default; allows symbolic links stored on shared folders to point at targets on shared folders.
• Remote Link To Local Target: disabled by default; allows symbolic links stored on shared folders to point at targets on the local file system of the computer that opens the link.

Enabling remote links can introduce security vulnerabilities. For example, a malicious user can create a symbolic link on a shared folder that references an absolute path on the local computer. Because the path is evaluated on whichever machine opens the link, a user who follows it is actually accessing a different file on his own computer, one that might contain confidential information, and any program that then copies or uploads what it opened leaks that file. In this way, a sophisticated attacker might be able to trick a user into compromising the confidentiality of a file on his local computer, which is why Remote Link To Local Target should stay disabled unless there is a specific need for it.
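The two pitfalls in this section, a relative target landing on the wrong drive and a link on a share pointing at a local path, both come down to how the stored target string is resolved and where the link itself lives. The following is an added example, not code from this article or from Windows: it uses Python's ntpath module (so it runs on any platform and never creates a link) to resolve a target the way Windows does, classify each link into one of the four policy cases, and flag the Remote Link To Local Target pattern. The link/target pairs in audit_sample() are constructed; the mapped_drives parameter is an assumption the caller supplies so that a mapped drive such as Z: can be treated as remote.

```python
"""How an NTFS symbolic link target is resolved, and which of the four
'Selectively allow the evaluation of a symbolic link' cases a link falls under.

Added example; not code from the article or from Windows. It only reasons about
the path strings mklink would store and never touches the file system.
The link/target pairs in audit_sample() are constructed.
"""
import ntpath

# Defaults of the Group Policy setting described in the article.
DEFAULT_POLICY = {
    "Local Link To Local Target": True,
    "Local Link To Remote Target": True,
    "Remote Link To Remote Target": False,
    "Remote Link To Local Target": False,
}


def is_remote(path: str, mapped_drives: frozenset = frozenset()) -> bool:
    """UNC paths (\\\\server\\share\\...) are remote. A drive letter is local unless the
    caller declares it as a mapped network drive via mapped_drives (an assumption;
    this code has no way to query the redirector)."""
    drive, _ = ntpath.splitdrive(path)
    return drive.startswith("\\\\") or drive.upper() in mapped_drives


def resolve_target(link_path: str, stored_target: str) -> str:
    """mklink stores the target string exactly as typed. A relative target is
    resolved against the directory holding the link, not the directory you were
    in when you ran mklink, which is the pitfall in the article's first example."""
    if ntpath.splitdrive(stored_target)[0]:          # has a drive letter or UNC prefix
        return ntpath.normpath(stored_target)
    return ntpath.normpath(ntpath.join(ntpath.dirname(link_path), stored_target))


def classify(link_path: str, stored_target: str, mapped_drives: frozenset = frozenset()) -> tuple:
    """Return (policy case name, resolved target)."""
    target = resolve_target(link_path, stored_target)
    side = lambda p: "Remote" if is_remote(p, mapped_drives) else "Local"
    return f"{side(link_path)} Link To {side(target)} Target", target


def audit(links, policy: dict = DEFAULT_POLICY, mapped_drives: frozenset = frozenset()) -> list:
    """links: iterable of (link path, stored target). Returns one finding per link:
    (link, case, resolved target, evaluated under policy?, suspicious?).
    'suspicious' marks the pattern described in the article: a link on a share whose
    target is an absolute local path, which resolves on whatever machine opens it."""
    findings = []
    for link, stored in links:
        case, target = classify(link, stored, mapped_drives)
        evaluated = policy.get(case, False)
        suspicious = case == "Remote Link To Local Target"
        findings.append((link, case, target, evaluated, suspicious))
    return findings


def audit_sample() -> list:
    """Constructed sample: the article's examples plus one malicious link on a share."""
    links = [
        ("C:\\link.txt", "target.txt"),                        # relative: lands on C:, not Z:
        ("C:\\link.txt", "Z:\\target.txt"),                    # mapped drive, declared remote below
        ("C:\\link.txt", "\\\\server\\folder\\target.txt"),    # UNC target
        ("\\\\server\\share\\readme.txt", "C:\\Users\\Public\\secrets.txt"),  # the attack
    ]
    return audit(links, mapped_drives=frozenset({"Z:"}))


if __name__ == "__main__":
    for link, case, target, evaluated, suspicious in audit_sample():
        flag = "  <-- suspicious" if suspicious else ""
        print(f"{link} -> {target}\n    {case}; evaluated under default policy: {evaluated}{flag}")
```

Run against a list of reparse points collected from a share, this is a cheap way to check whether anyone has planted a link that would read a local file on the machines that open it; under the default policy such a link is refused anyway, which is the behaviour the fourth setting exists to preserve.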

By: Yogendra